Category: Web

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps:

First, configure the upstream proxy that will sit between Burpsuite and the web application to listen on a different port, since both tools bind TCP 8080 by default. Here I’ve configured ZAP to listen on port 8082:

ZAP Proxy Port Configuration

Then, edit Burpsuite’s configuration to point to the upstream proxy. Here, I set a wildcard destination host using ‘*’ and set the proxy host to ‘localhost’ and proxy port to ‘8082’:

Here is a small side project that I had wanted to do for a while, but hadn’t made the effort until I got some downtime in a hotel.

Problem:
Creating a unique URL/address/lander/etc. that you can find easily, but that is hard for an outside party to locate even if they have access to full packet capture (albeit not likely analyzing it in real time).

Solution:
Not reinventing the wheel here, but I hadn’t made it myself, so why not learn. This same sort of tactic is used by people who hard-code malware to beacon out to a generated list of domains that shifts according to time. My personal idea for this one is that you have a command and control login page you don’t want people brute forcing, or maybe you are just storing data scraped from cookies on a server and you don’t want its location to be static. This allows you to very easily have a resource change its name in a way that you can work out from any computer that has access to sha1sum. And because you can go to http://www.sha1-online.com/, that is every device with a NIC….

Problems:
Obviously, if you use this on blahblah.com/crazyuniqueid.php, anyone on the defense side worth a darn will write a rule to block or alert on any callouts to blahblah.com.

If you use this generator to make subdomains like 2341321#@@E@E.blahblah.com, the same tactics apply. That being said, what if you use this code with an SMTP library to send an email out to randombunchofcrap@gmail.com, and the address changes every 24 hours? A bit more difficult to detect.

This is V1, I hope it will grow in capabilities.

Rundown:
On the server with your landing page, run this script: python nameofscript.py “secret code” path/to/file filename.php
Set it and forget it.

Then, wherever you are, when you want to log in, check hash dumps that are being posted, etc.:
type into your *nix command prompt: echo -n “YEAR-MONTH-DAY:secret code” | sha1sum
Take that sha1sum output, append .php to it, and go to your URL. Log in and rejoice that Google isn’t indexing it.

This is what it looks like when you run it initially on the server…

This is how you find your landing page wherever you are. Or through an online sha1sum creator…

NOTE: I used system calls for hashing, etc., so this will not run on a non-*nix server. If you are running this on windowz it will most likely have to use Python libs and be compiled by the likes of pyexec. If you’ve gone that far you might as well duplicate this functionality in PowerShell and then post it here 🙂
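As an added example (not the script from the post), here is the rundown above written with Python’s own hashlib instead of shelling out to sha1sum, so it also runs where the note says the original won’t. It assumes the post’s “YEAR-MONTH-DAY” means the ISO 8601 form, e.g. 2014-03-09, and the function names (daily_name, expected_names, is_current_name, rotate) are this example’s, not the post’s. Beyond the post, it tolerates a day of clock or time-zone disagreement between the client and the server, which is the usual reason a scheme like this stops matching.

```python
"""Rotating landing-page name: sha1("YEAR-MONTH-DAY:secret") + ".php".

Added example, not the post's script. Assumes ISO 8601 dates (YYYY-MM-DD).
"""
import hashlib
import sys
from datetime import date, timedelta
from pathlib import Path


def daily_name(secret: str, day_iso: str, extension: str = ".php") -> str:
    """Name for one day. Matches the post's client-side command
    `echo -n "YEAR-MONTH-DAY:secret code" | sha1sum` when the date is ISO."""
    day = date.fromisoformat(day_iso)          # rejects malformed dates early
    material = f"{day.isoformat()}:{secret}".encode("utf-8")
    return hashlib.sha1(material).hexdigest() + extension


def expected_names(secret: str, today_iso: str, skew_days: int = 1) -> set:
    """Names considered valid around `today_iso`.

    The client computes the name from its own clock; a server in another
    time zone may already be on the next (or still on the previous) day,
    so accept +/- skew_days to avoid a dead link at midnight."""
    today = date.fromisoformat(today_iso)
    return {
        daily_name(secret, (today + timedelta(days=d)).isoformat())
        for d in range(-skew_days, skew_days + 1)
    }


def is_current_name(name: str, secret: str, today_iso: str) -> bool:
    """True if `name` is today's name or one within the skew window."""
    return name in expected_names(secret, today_iso)


def rotate(directory: str, current_name: str, secret: str, today_iso: str) -> str:
    """Server side of 'set it and forget it': rename the landing page to
    today's derived name and return that name (unchanged if already current)."""
    folder = Path(directory)
    new_name = daily_name(secret, today_iso)
    if current_name != new_name:
        (folder / current_name).rename(folder / new_name)
    return new_name


if __name__ == "__main__":
    # Mirrors the post's invocation: script.py "secret code" path/to/file filename.php
    secret_arg, directory_arg, filename_arg = sys.argv[1:4]
    print(rotate(directory_arg, filename_arg, secret_arg, date.today().isoformat()))
```

To check the block against the post’s shell recipe, compare daily_name("secret code", "2014-03-09") with the output of echo -n "2014-03-09:secret code" | sha1sum. Note what the scheme does and does not give you: SHA-1 is used here only as a deterministic name generator, and the name is the whole secret for that day. Anyone who observes a single request (proxy logs, packet capture, a referrer leak) has the page for the rest of the day, and the hidden name does nothing to authenticate whoever reaches it, which is why the post still puts a login on the page.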

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection.

According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, JavaScript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack. There are several – many, rather – excellent tutorials on injection attacks available on the web. Here’s a brief selection of SQL injection attacks for reference:
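To make the “interpreter parses input to execute instructions” point concrete, here is an added example (not from the post or its sources) of one lookup written two ways against an in-memory SQLite table with a couple of constructed rows: once by pasting the input into the SQL text, once by binding it as a parameter. The table, rows and function names are this example’s assumptions.

```python
"""Same query, concatenated vs. parameterised. Added example, not from the post.

Constructed sample data: two users in an in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],   # constructed rows
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input becomes part of the SQL *text*, so a quote
    character in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the statement's structure is fixed at parse time and the
    input is bound as a *value*; quotes inside it are just characters."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both forms on a normal name and on a quote-bearing one."""
    conn = make_db()
    odd_name = "x' OR 'a'='a"      # a value containing a single quote
    return {
        "concat_normal": lookup_concat(conn, "alice"),
        "param_normal": lookup_param(conn, "alice"),
        "concat_odd": lookup_concat(conn, odd_name),   # WHERE clause rewritten
        "param_odd": lookup_param(conn, odd_name),     # no such user: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The first two results agree; the last two do not. With concatenation the quote in the value turns the WHERE clause into name = 'x' OR 'a'='a', which is true for every row, so the whole table comes back; with a bound parameter the same string is compared as a literal name and matches nothing. That difference, not the specific string, is the reason parameterised queries are the standard fix: they remove the interpreter’s opportunity to read data as instructions.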